My understanding is that Luerl can remove various modules from being used, like preventing use of the IO library for instance.

I would say BEAM itself is not particularly sandboxed, and certainly clusters of Erlang nodes assume a lot of shared trust.